Hackers have been exploiting an unpatched Adobe Reader vulnerability for months

Adobe Reader vulnerabilities have been exploited for decades by threat actors taking advantage of the universal use of the utility to fool employees into downloading infected PDF documents through phishing lures.

Now a security researcher says a Reader hole has been quietly exploited by malware for as long as four months, fingerprinting computers to gather information that will allow attackers to steal data and perform further malicious activities.

In a blog post this week, Haifei Li said that EXPMON, the publicly available exploit monitor he runs, which scans submitted samples to detect file-based zero-day exploits, had found an initial sample that abuses a vulnerability in a Reader API.

JavaScript embedded in the malicious PDF runs automatically when the document is opened. It reads files on the victim's computer to collect information, including language settings, the Adobe Reader version, the exact OS version, and the local path of the PDF file, and then sends that data to a remote server.

This information will be useful to a threat actor planning on launching future attacks, including the installation of remote access tools, Li noted.

Li said in his April 7 report that he tested the malware on what was at the time the latest version of Adobe Reader (26.00121367), and it still worked.

In an update the next day, Li added that a variant dating back to last November had been found by another researcher, which suggests the malware had been in use at least since then.

Adobe was asked for comment on the report, but no reply was received by deadline.

It’s not the first time Adobe Reader has been targeted. Vulnerabilities relating to it date back at least to 2007, when a hole was found in a browser plug-in. Fake Reader updates are another threat actor favorite. Use-after-free memory vulnerabilities are also common; researchers at Zeropath last year described one of them, CVE-2025-54257.

Traditional tactics

In addition to applying patches as soon as they are available, infosec leaders need to ensure employees receive regular security awareness training that includes warnings about opening unexpected PDFs, even those seemingly from trusted sources such as co-workers or managers.

Threat actors traditionally use a variety of tactics to trick an employee into opening an email attachment, including using subject lines like “Urgent,” and “Info on bonus.” The attachment itself may be given a name that conveys importance; in this case, the November variant carried the file name “Invoice504.pdf.”

According to a report on this new malware filed with VirusTotal, the malware scanning site to which anyone can upload suspicious files for scrutiny, the lure instructs the recipient to open the attachment specifically with Adobe Acrobat Reader.

A high-risk exploit

Kellman Meghu, chief technology officer at Canadian incident response firm DeepCove Security, called the exploit “a very high risk.”

So far it looks as though this particular malware just exfiltrates data, he said. But it implies there is an ability or capability to turn it into a vehicle for remote code execution. “It is a zero click [vulnerability],” Meghu added, “meaning just viewing in a browser or email is likely enough to trigger it.”

CSOs should meet this threat by disabling Acrobat JavaScript, either by default or until there is a patch, he said. “But to be honest,” he added, “I think JavaScript execution is generally a bad idea in Adobe Reader,” so it should be disabled.

Johannes Ullrich, dean of research at the SANS Institute, noted Adobe Acrobat and Reader have often been the targets of sophisticated exploits. These frequently take advantage of features like JavaScript, or leverage the ability to include, or nest, various document types inside a PDF. Many malware filters will detect and flag these types of documents as malicious, he said.

“CSOs should ensure that web proxies and email gateways have filters enabled to not allow PDFs that are not fully standards compliant, and to eliminate PDFs taking advantage of known problematic features like JavaScript,” he said. “Any attachment like this should also prominently note that it was received from a source outside the organization.”

“Sadly,” he added, “PDFs are still very common, and cannot be completely eliminated.”
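To make the gateway recommendation above concrete, here is an added example (not code from this article, from EXPMON, or from any of the vendors quoted) of a Python screening check that a mail gateway or web proxy could run on PDF attachments. It flags the names behind the auto-executing JavaScript described earlier in the article (an /OpenAction or /AA entry pointing at a /JavaScript action) together with the other risky features Ullrich mentions, and it handles two ways such documents slip past a naive string match: names written with #xx hex escapes, and objects stored inside Flate-compressed streams. The three sample PDFs are constructed for this example, stripped to the minimum a scanner needs (no xref table), and are not the malware the article describes; the `block` and `quarantine` verdicts are assumed policy labels, not anything the article specifies.

```python
"""Screen a PDF for the features abused by malicious documents: JavaScript
wired to an open or page action (/OpenAction, /AA), launch actions and
embedded files.  Added example for this article, not code from EXPMON, Adobe
or the researchers quoted; standard library only.  The three sample PDFs are
constructed for the example (minimal, no xref table) and are not real samples."""
import re
import zlib

# Names a gateway filter usually keys on.  PDF allows any byte of a name to be
# written as a #xx hex escape (/J#53 is the same name as /JS), so names are
# unescaped before matching; a filter that greps for the literal "/JS" is bypassed.
SUSPICIOUS_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                    "/EmbeddedFile", "/RichMedia", "/XFA"}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_NAME = re.compile(rb"/[^\s/\[\]<>(){}%]+")          # a PDF name token
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _unescape_name(raw: bytes) -> str:
    """Decode #xx escapes: b'/Java#53cript' -> '/JavaScript'."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def _inflate_streams(data: bytes) -> bytes:
    """Append the content of every stream that inflates as FlateDecode, so
    objects hidden inside compressed object streams are scanned as well."""
    extra = []
    for m in _STREAM.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:          # not a Flate stream (image data, etc.)
            pass
    return data + b"\n" + b"\n".join(extra)


def scan_pdf(data: bytes, inflate: bool = True) -> dict:
    """Return {name: count} for suspicious names in the document."""
    if inflate:
        data = _inflate_streams(data)
    found: dict = {}
    for m in _NAME.finditer(data):
        name = _unescape_name(m.group(0))
        if name in SUSPICIOUS_NAMES:
            found[name] = found.get(name, 0) + 1
    return found


def verdict(data: bytes) -> str:
    """Gateway decision (assumed policy): block JavaScript tied to an open or
    page action, quarantine anything else using a risky feature, else allow."""
    hits = scan_pdf(data)
    trigger = "/OpenAction" in hits or "/AA" in hits
    script = "/JavaScript" in hits or "/JS" in hits
    if trigger and script:
        return "block: JavaScript runs on open"
    if hits:
        return "quarantine: " + ", ".join(sorted(hits))
    return "allow"


def _pdf(catalog_extra: bytes, page_extra: bytes, objects: list) -> bytes:
    """Build a minimal one-page PDF (constructed test input, no xref table)."""
    parts = [b"%PDF-1.7",
             b"1 0 obj << /Type /Catalog /Pages 2 0 R " + catalog_extra + b" >> endobj",
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
             b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
             + page_extra + b" >> endobj",
             *objects,
             b"trailer << /Root 1 0 R >>", b"%%EOF"]
    return b"\n".join(parts)


# Constructed samples (not real malware).
BENIGN_PDF = _pdf(b"", b"", [])

# JavaScript in an /OpenAction, with the action names hex-escaped to dodge naive filters.
OPENACTION_JS_PDF = _pdf(
    b"/OpenAction 4 0 R", b"",
    [b"4 0 obj << /S /Java#53cript /J#53 (app.alert(app.viewerVersion)) >> endobj"])

# The same action object stored Flate-compressed, so the raw bytes never
# contain "/JS"; a page-open trigger (/AA /O) on the page points at it.
_flate = zlib.compress(b"<< /S /JavaScript /JS (app.alert(app.viewerVersion)) >>")
COMPRESSED_JS_PDF = _pdf(
    b"", b"/AA << /O 4 0 R >>",
    [b"4 0 obj << /Length " + str(len(_flate)).encode() + b" /Filter /FlateDecode >>",
     b"stream", _flate, b"endstream endobj"])

if __name__ == "__main__":
    for label, pdf in [("benign", BENIGN_PDF), ("open-action JS", OPENACTION_JS_PDF),
                       ("JS in Flate stream", COMPRESSED_JS_PDF)]:
        print(f"{label:20s} {verdict(pdf):35s} {scan_pdf(pdf)}")
```

A heuristic like this belongs in front of, not instead of, a real PDF parser: a document that is not standards-compliant (Ullrich's other criterion) can split tokens in ways a regular expression will not follow, and an encrypted PDF hides its strings entirely, so an attachment that cannot be parsed or decrypted should fall through to quarantine rather than allow.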

Adam Marrè, CISO at Arctic Wolf, said that what makes this new vulnerability particularly concerning is that it’s being actively exploited and appears to work even on fully patched systems. That immediately raises the risk profile. “Even without full visibility into the entire attack chain, the fact that initial access can be gained through something as routine as opening a PDF means organizations should treat this as a real and present security event,” he said. “From there, the potential impact can range from limited data exposure to follow‑on activity if attackers are able to deliver additional payloads.”

This becomes a matter of managing risk in real time, he pointed out. “When a trusted tool suddenly falls outside an organization’s acceptable risk threshold, the priority shifts to reducing exposure and increasing visibility. That may mean reassessing where the software is truly necessary, tightening how untrusted content is handled, and ensuring monitoring is in place to quickly detect any abnormal behavior,” he said.

“Just as important is what happens after containment,” he added. “Incidents like this are an opportunity to evaluate what controls held up, where gaps surfaced, and how to operationalize those lessons. Threats tied to everyday user behavior aren’t going away, so resilience depends on learning quickly and adapting just as fast.”
